Those ghosts speak now, according to an article in The Journal Of Communications:
The two German researchers explain how their proof-of-concept malicious code can use a computer’s built-in sound card, speakers and microphone as sending and receiving devices to move information from one infected node to another in similarly compromised machines, providing bot systems are within 20 metres of each other.As in Asimov's story, the bandwidth is very low: 20 bps in this case. But that is useful for all sorts of things, a lot of them unsavory.
The possibility of malware that can communicate over air-gapped machines, or worse still, spread onto them, is a nightmare scenario for those in charge of otherwise well designed ultra-secure networks (think some military systems, power plants etc). Why? Because a "covert acoustical mesh network" wouldn't respond to any of the well-established security measures typically taken by organisations, and disabling the audio components is not always feasible.
"This business will get out of control. It will get out of control and we'll be lucky to live through it."
I'm not sure that I agree with this:
Adam Kujawa, a security researcher at antivirus firm MalwareBytes, reckons the research shows that it's possible for malware-infected machines to chat to each other across an air gap. But he's far from convinced any infection is possible via the method.One thing that I have rather a lot of experience in is forensics on how attacks subvert operating systems. A common theme is old code has the worst vulnerabilities. Now what is likely to be some of the oldest code in an OS? How about the audio I/O? Once you got CD quality audio (back around 1994 or so) there really wasn't much reason to spend much time tweaking that code. My gut tells me that this is likely full of interesting buffer overflows, and that interesting enough data read in from the microphone might be able to trigger one of these. The audio software, of course, runs in the kernel.
Probably I'm just paranoid.* But this is a very new area of computer security, filled with Rumsfeld's Unknown Unknowns. I'm very sure that I don't know very much about what the realms of possibility are here, and suspect that nobody else does either.
* Remember, I was professionally trained to be this way by the finest minds in the Free World. Top. Men.
re: your footnote
ReplyDeleteIt seems a basic assumption of yours that government is not as effective/qualified/experienced as the private sector. It follows from that that you might not be paranoid enough. ;)
My gut tells me that this is likely full of interesting buffer overflows, and that interesting enough data read in from the microphone might be able to trigger one of these.
ReplyDeleteExcept that all the sound input is reading is audio samples. It doesn't try to interpret them, it just stores them. (In a circular buffer I might add - no buffer overruns there.) It takes additional software (a softmodem, which isn't part of the audio driver) to decode those samples and extract anything useful.
I won't say it's impossible to penetrate a clean box via just the microphone, but only because I know people who say things like that often end up eating their words.
@John, ooh, *snap*! ;-)
ReplyDelete@Dave, I have considerable faith in the crummy quality of software, even kernel code. I particularly have a lot of faith that new attack paradigms never considered before will be successful against this code far more often than we'd like. Your mileage may vary, but I'm not comforted even knowing that this is the Most! Secure! Windows! EVAH!!!
Bp, I live in a world similar to what you used to and deal with similar issues. One of my coworkers stated that "an air-gap solution is just a low-bandwidth connection", referring to using CDs to transfer data between enclaves.
ReplyDeleteI thought about the audio-infection process and think that, while plausible, would require infection of both machines, particularly the victim. Microphones are not on by default, and as Dave stated, just taking audio input does not constitute an attack vector. The audio would have to be digitized and then the audio could be used as an exploit.
However, once both machines are infected, I could totally see this as a low-bandwidth data-passing system. Pass data between two classified security enclaves that are air-gapped. You've just created an acoustic coupler/modem, minus the wiring.
Maybe that's why the Russians have reverted to typewriters in their most sensitive locations...
@John When I worked for SSI as a computer forensics tech the company adopted my motto: It is not 'Are you paranoid, but are you paranoid enough'
ReplyDelete@BP I assume this is the real story behind the rumour a couple of months ago about infecting remote computers audibly. This I can believe, the earlier one not so much. However remember probably 90% of all wintel computers all have the AC97 chipset installed on them. IFF someone found a remote exploit at the chip level it would be huge.
@azmrmacs The Russians switched to typewriters because the emfields from displays and keyboards can be easily read and interpreted, this has been the case for years, I have done it with CRTs, but see no reason why LCDs could not also be read.
ReplyDelete*Disclaimer* I'm not much more knowledgeable about computers other than knowing how to type, so if this is laughable let me know.
ReplyDeleteHowever While I understand that microphones are generally off, speakers can be turned off or are off.. Could not a targeted attack change the operating system basic parameters though malware/social engineering/etc to change these defaults then broadcast a signal with out the end user, say me with my lack of observation noticing?
Now while the economic ramifications of this are huge for bank data I would assume that there are easier ways to get this data, like those already in use. But this could be an interesting thing for "Secure" servers from -Major- bank installations, .gov websites or .mil websites or the power grid to be a focused target in such an attack.
Or is that really out in the weeds?
What's that new Motorola phone that's always listening so it can execute commands? I wonder how many people have those linked to their computers?
ReplyDeleteUm, except in very specific (and unusual) circumstances (dedicated videoconference machines, etc.), why does a "secure" computer NEED a microphone?
ReplyDeleteNo mike, no airgap audio input channel. Hell, I usually leave my SPEAKERS off unless I'm watching a video, just to avoid annoying sounds.